Fotis Zygoulis
fotiszygoulis@gmail.com
fotiszygoulis@iraklio.gr
The Implementation of GDPR in Greece – A Case Study
Table of Contents
Introduction
Terminology and Theoretical Basis
Legal bases
The rights for individuals
Case Law in Greece
Implementation Methodology
Case Study: the implementation of GDPR in the Municipality of Iraklio Attikis in Greece
References
Introduction
The implementation of the GDPR in Greece has brought to light specific problems at all
levels of the administrative structure. In this draft we examine a case study concerning
the implementation of the GDPR in the Municipality of Iraklio Attikis in Greece.
The Directive’s full name is ‘Directive (EU) 2016/680 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the processing
of personal data by competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties, and on
the free movement of such data, and repealing Council Framework Decision 2008/977/JHA’.
It is more widely known as the Law Enforcement Data Directive and it focuses on the
protection of natural persons when their data is processed for preventing, investigating and
prosecuting criminal offences, governing law enforcement agencies and how they process
data in performing their tasks.
Legal bases
The six legal bases for processing data, as defined under Article 6 of GDPR, are:
• Performance of a contract
• Legal obligation
• Performance of a task in the public interest
• Consent from the individual
• Legitimate interest
• Protection of the vital interests of an individual
The rights for individuals are established throughout the whole of Chapter III of GDPR, where
they are specified with stipulations regarding how and when organisations must honour
those rights, and some limitations to those rights.
GDPR does not legislate cyber security in detail, but it does require that data be handled
securely and sets out some broad requirements on what that means. In recognition of this, a
reform of EU ePrivacy law is also underway: in line with the evolution of GDPR into a
regulation, the existing ePrivacy Directive is being replaced by a new Regulation. Known as
the ePrivacy Regulation, its focus is on trust, assuring the security and confidentiality of
data and metadata as they are communicated. The new regulation will look to
specify clearer rules to protect this data, conferring power for their enforcement on the
supervisory authorities.
GDPR is a good example of a regulation that allows a Member State to handle certain
aspects in its local statute, including drafting laws that define a supervisory authority
and setting the age at which parental consent is no longer needed for children (though no
younger than 13, as we discussed earlier this week). The intention is for GDPR to work with
limited friction alongside existing laws and the way Member States prefer to handle specific
affairs, where the Regulation allows this.
Case studies
Austria. Directive 95/46/EC was implemented in Austria by the Austrian Data Protection Act
2000. The new EU 2016 Regulation was due to take effect from May 2018 and applies to both
controllers and processors of data. While the Austrian Data Protection Act continues in
force, many of its provisions were modified to suit the new regulation. The Act was well
thought out and implemented and addressed all aspects of the new regulation, sometimes
even exceeding its requirements.
Spain. The EU Data Protection Directive (95/46/EC) was transposed through the Organic Law
on Data Protection in December 1999, which came into force in January 2000. The Organic
Law was developed through Royal Decree-Law 1720/2007. The Spanish Data Protection Agency
was established in 1994. GDPR replaced these previous regulations.
Poland. GDPR replaced the previous Act on Personal Data Protection of 1997, which had been
implemented on the basis of the 1995 Directive. EU regulations are directly binding, with no
need to "implement" them in the legislation of the Member State, and this is how it works in
Poland: GDPR is applied directly, without any internal act incorporating GDPR in part or in
full. Poland has an act on personal data protection which replaced the previous act of 1997,
but it only contains provisions of an organisational nature (such as the status of the
supervisory authority) or other matters left to the competence of Member State jurisdiction.
Italy. Italy implemented Directive 95/46/EC on data protection through Legislative Decree
No. 196/2003, the Italian Data Protection Code.
On 8 August 2018 the Italian privacy law integrating the GDPR was approved. The legislative
decree integrating the GDPR was published in the Official Gazette on 19/09/2018 and has
been binding with effect from 19 September 2018. Rather than repealing the existing Italian
Privacy Code, the government decided to amend it to align it with the GDPR, replacing whole
sections by means of cross-references to the GDPR.
account. This includes reconstituting the role of France's data protection authority, the
Commission Nationale de l'Informatique et des Libertés (CNIL). According to the new laws, a
child can give their consent to the processing of personal data with regard to the direct
provision of information society services from the age of 15. Where the child is under 15
years of age, processing shall be lawful only if consent is given jointly by the child and
their parent or guardian. Information society service providers must draft, in clear and
simple terms easily understandable by the child, the information relating to the processing
operation concerning him or her.
Denmark. The Danish Parliament approved the Data Protection Act on May 23, 2018. The law
brings the country's data protection regime in line with the EU General Data Protection
Regulation. The age limit for children's consent to use information society services
(social media, apps, etc.) was lowered to 13 years.
The most important derogation (partial departure) from the GDPR is that the act allows the
processing of ordinary and sensitive data in connection with personnel administration on
the basis of legitimate interests arising from legislation or collective agreements. This
also applies to public authorities, which cannot normally rely on legitimate interest. About
80 data breach notifications are received each week, making Denmark number one in the EU in
the number of reported breaches when the size of the population is taken into account.
Germany. Germany was the first country in the world to introduce a law on data protection,
the Datenschutzgesetzgebung (BDSG), in 1970. Germany has some of the strictest data
protection laws in the world, but the amendments to the BDSG taking into account the
provisions of the EU Data Protection Directive of October 1995 were not implemented into
national law until 2001.
With the introduction of GDPR, Germany has introduced the new German Privacy Act
(BDSG-new), which complements GDPR.
Who is affected?
Practically any EU citizen about whom personal data is captured, stored and used in any
way, as well as the people who handle that data and the organisations they work for.
Remember, this relates to customers, staff and legal entities, and GDPR is extra-territorial;
in other words, it relates to data about EU citizens wherever it may be processed
in the world. There are special provisions for children, to which we will refer you throughout
the course.
Responsibility tends to be spread across people who take on specific roles as defined by
GDPR, such as the data controller, but there are also contractual responsibilities held by
the people and organisations handling the data on behalf of the data subject, as well as by
anyone they subcontract to, referred to in GDPR as the data processor.
Ethics and confidentiality for instance are enshrined in other laws across Europe, usually as
a matter of Member State law and / or international principles and conventions.
The intention is that GDPR will work seamlessly with these existing laws, but when
understanding GDPR and its scope, it is important to make sure that you do not confuse
other laws and good practice with GDPR provisions – these are all intended to work
together.
The same is true for what Member State laws permit in terms of surveillance and monitoring
of individuals. What is specified in other laws regarding surveillance must be balanced with
the requirements of GDPR, but remember that one of the legal bases for processing relates
to legal obligation – where processing may proceed in line with other laws. Arguably, GDPR
provides a basis for Member States to better balance individual rights against other
surveillance laws where there are grey areas.
To illustrate what is meant by seamlessness in this context, alongside GDPR, the EU also
passed into law a new Directive that was designed to modernise data handling for judicial
and police services around Europe with direct reference to the principles and provisions in
GDPR.
The GDPR repeals Directive 95/46/EC, which was transposed by the EU Member States, in
Greece by Law 2472/1997. Under the draft Greek Data Protection Act, Law 2472/1997 will also
be abolished in its entirety.
In Greece, the GDPR has not yet been implemented by a national law, including as regards
law enforcement. Unfortunately, Greece is among the last three EU countries that have not
yet voted on a GDPR implementing law. The Legislative Committee had delivered the relevant
draft law to the Minister a year ago. After the completion of the relevant consultation, a
reformulated version of the draft will be submitted on the basis of the comments that
emerged from the consultation.
Nevertheless, there was no news concerning the fate of the necessary bill until the end of
November 2018, when the Legislative Committee was reassembled at the initiative of the new
Minister of Justice with the addition of new members. At the beginning of January 2019,
Mrs. Mitrou submitted her resignation and the new committee, chaired by Mr
Philipoulos has a deadline to deliver a new draft on the implementation of the GDPR Law by
the end of February 2019.
Implementation Methodology
In all Greek Public Organizations and particularly in the Greek Municipalities, an attempt has
been made to integrate the GDPR with a specific methodology that involves the recruitment
of outsourced specialized consultants on this issue.
Deliverable 1:
It concerns the evaluation of the current situation by mapping it (Data Mapping) in relation
to the Municipality's readiness to apply the new General Regulation for the Protection of
Personal Data, investigating the deviations of its operation from the Regulation (Gap
Analysis).
More specifically, identifying the personal data managed by the Municipality, identifying
their categories and the categories of data subjects to which they relate, and then
analysing all the processes related to them, using a flow chart / study of data and
processes to represent them in the framework of this correlation.
Next, on the basis of this analysis, a comparison will be made against the articles and
paragraphs of the Regulation in order to achieve the required compliance, drawing up a list
of deficiencies, risks and compliance requirements (Risk Analysis).
Finally, a Data Protection Impact Assessment is carried out, assessing the data protection
implications in order to identify the most important risks.
Deliverable I (P-I): (I.1.): Data Mapping / Gap Analysis Report, (I.2.) Risk Analysis Report, (I.3.)
Impact Assessment Report
Deliverable II (P-II): Design, Development and Adoption of the Information Security System -
GDPR Compliance Plan
During this stage, an Information Security System will be developed and adopted, as well as
the GDPR Compliance Plan.
This Action Plan will be an integrated methodology of action, detailed at each step, which,
if executed as a whole, will result in the Municipality's compliance with the Regulation.
The GDPR Compliance Plan includes, among other things:
• the development of a policy manual
• staff training
• the development of an ISO 27001 information security management system.
Deliverable II (II-II):
In the Municipality of Iraklion Attikis, an attempt has been made to incorporate the GDPR
by adopting a full implementation of the legislation and the appointment of a DPO.
1. Data Policy of the Local Government Organization of the Municipality of Iraklion Attikis,
Greece
The data (in physical and digital form) are critical data for the Municipality of Iraklion Attikis,
and their proper handling is necessary for their use, processing, storage, deletion processes
and the procedures taken to identify new collections of data and justify the continuation of
existing ones.
The Data Policy of the Municipality of Iraklion Attikis includes the collection and processing
of personal, financial information if one or more of the following conditions are met:
• The Municipality of Iraklion Attikis has a strategic need for information and data.
The data must be collected in such a way that the rights and privacy of the subject are taken
into account, in accordance with the GDPR. When third-party collectors collect or acquire
data for the Municipality of Iraklion Attikis, an agreement must be drawn up between the
Municipality of Iraklion Attikis and the external partner, ensuring the confidentiality and
security of the data. To that end, the DPO of the Municipality should be informed in every
case of the drawing up and monitoring of such a contract.
• Types and categories of personal data - Object, nature and purpose of the whole
processing
• Retention of data
Depending on the level of confidentiality and criticality, data can be classified into the
following categories:
All personal data must have a data keeper (holder). It is forbidden to print documents that
are classified as confidential, unless it is necessary. When they are to be destroyed, they
must be made unrecoverable (physical form) or deleted in a secure manner (digital form).
Where required by a law or a contract, the Municipality of Iraklion Attikis, should provide
information to interested parties for the purposes of the processing of their personal data.
The notification to the data subject must be no later than:
• At the time of disclosure, unless a legal notice already exists or a legal exemption is in force
for the disclosure requirements
The Municipality of Iraklion Attikis should receive personal data by legal and fair means and,
where appropriate, with the knowledge and consent of the data subject. Consent must be
documented. It must be given for each specific function and purpose of the processing and
the data subject must be able to withdraw the consent as easily as they gave it. When there
is a need to request and obtain the consent of a person prior to the collection, use or
disclosure of their personal data, the Municipality of Iraklion Attikis, should seek to obtain
such consent.
The Municipality of Iraklion Attikis must be able to prove that the data subject:
• Has explicitly given their consent to the processing of their personal data
• Has consented to the processing of their personal data for one or more specific purposes.
• The consent form is understandable, easily accessible and easily distinguishable from any
other matter related to the data subject.
• The data subject has been informed of the right to withdraw their consent at any time.
The City of Iraklion Attikis must be able to prove that the data subject has the right to
withdraw their consent at any time (in this case, the data subject must request the
withdrawal of consent). Where processing has multiple purposes, the Municipality of Iraklion
Attikis must be able to demonstrate that the withdrawal of consent is valid for all of the
specific purposes. For the access procedure, the data subject must provide appropriate
evidence: identity card, valid passport or driving licence. The date, the identification
checks and the type of data requested should be recorded. The Municipality of Iraklion
Attikis, Attica, has one month from the date of the application to provide the requested
information. The request for access shall be forwarded to the Data Protection Officer, who
shall ensure that the requested data is collected within the time frame.
The Municipality of Iraklion Attikis uses personal data for specific purposes in order to
provide and / or manage functions and services. Every department of the Municipality of
Iraklion Attikis, will process the personal data in accordance with all applicable laws,
obligations, contracts and regulations. Processing involves the execution of any act in data,
The data subject has the right of access: to know the purposes of the data processing, the
categories of personal data processed, the recipients or categories of recipients to whom
the data will be disclosed, how long the data will be stored, and their right to correction
or deletion.
Personal data will not be processed unless one of the following conditions is met:
• The data subject has given their consent to the processing for one or more specific
purposes.
• Processing is necessary for the performance of a contract to which the subject is party
or will be upon completion of the relevant actions.
• Processing is necessary for the exercise of public authority.
• Processing is necessary to comply with a legal obligation.
The Municipality of Iraklion Attikis will inform individuals about the collection and use of
their personal data, including the purposes and legal basis of processing, transfers and
retention periods. The Municipality of Iraklion Attikis should provide access to the data.
Subject access requests must be recorded and appropriate action must be taken within the
specified time limits. Data subjects have the right to receive confirmation as to whether
their personal data are being processed and to obtain a copy of them. The data subject may
apply for a correction in the case of inaccurate, incomplete or new personal data. A reply
should be given within one month to any reasonable request for correction. The data subject
has the right to request that the processing of his or her personal data be restricted;
once this right is exercised, only storage of the data is allowed. The data subject has the
right to object to the processing of his or her personal data. The objection takes effect
immediately and the Municipality of Iraklion Attikis will no longer process the personal
data, unless legitimate grounds prevail which override the interests and rights of the
subject. The data subject should be informed by the Municipality when their data are subject
to automated processing, automated decision making (automated means: without human
intervention) and profiling (automated processing). Data subjects have the right to require
the deletion of their personal data and their removal from processing under certain
circumstances.
Children's personal data should have additional technical safeguards when services are
offered directly to children. (Especially in cases handled by the Social Policy Department of
the Municipality).
The Municipality of Iraklion Attikis will adopt the procedures to ensure the exercise of the
data subjects' rights. In particular, Article 12 of the GDPR provides arrangements for the
fundamental rights of the data subjects, namely the right to information, access, correction,
as well as the right to oblige, limitation of processing and opposition. In this regard, the
Municipality of Iraklion Attikis will adopt these measures in order to be able to respond to
the requests of the data subjects.
In accordance with Article 26 of the GDPR, all stakeholders that jointly determine the
purposes and the means of processing will be treated as joint data controllers.
Furthermore, joint data controllers shall clearly define their respective responsibilities
for compliance with their obligations under the GDPR, in particular as regards the exercise
of the rights of the data subject and their respective duties. The data subject may
therefore exercise his or her rights against each of the controllers. Consequently, the
Municipality of Iraklion Attikis, as a data processor, must indicate its obligations under
Article 26 of the GDPR when signing contracts with third parties. Another example of joint
data controllers, in cases where the City processes personal data through platforms of
Ministries, is the KEP Directorate (e.g. the HERMES platform).
With particular regard to the processing of data of vulnerable social groups in the
Municipality of Iraklion Attikis handled by the Social Policy Department, it is necessary to
adopt a strict framework for the processing of sensitive personal data, since they reveal
racial or ethnic origin, political opinions, religious or philosophical beliefs or trade
union membership, as well as genetic and biometric data and information on health, sex life
or sexual orientation.
At this point, special mention should be made of cases where complaints are submitted to the
Municipality through its telephone number for citizens (the case of the gov.e-irakleio.gr
platform). The Municipality of Iraklion Attikis, Attica, before collecting the personal data
of the individual subjects, will inform them of the purpose of processing their data. This
recommendation is not limited to the telephone complaints of subjects but applies in any
case where the Municipality processes the personal data of subjects by telephone.
The DPO plays a key role in developing a culture of data protection within the Municipality
of Iraklion Attikis, and contributes to the implementation of essential elements of the GDPR,
such as the principles of data processing, the rights of data subjects, data protection by
design and by default, records of processing activities, security of personal data and the
notification and communication of data breaches (Articles 25, 30, 32, 33, 34).
Pursuant to Article 38 of the CPC, the data processor and the data controller shall ensure
that the DPO is duly and promptly involved in all matters relating to the protection of
personal data.
Article 38(3) reads as follows: "The DPO does not receive instructions to carry out his/her
... duties." Furthermore, it states that DPOs, "whether or not they are employees of the
Municipality, must be able to carry out their duties and tasks in an independent manner."
Selection of organizational safeguards and techniques to mitigate risks to the rights of data
subjects
Under Article 39(2), the DPO 'shall have due regard to the risk associated with processing
operations, taking into account the nature, scope, context and purposes of processing'.
The DPO of the Municipality of Iraklion Attikis is not personally liable for non-compliance
with data protection requirements. Compliance with the protection rules is the
responsibility of the data controller or the data processor inside the Municipality of Iraklio
Attikis in Greece.
Standard in general
The purpose for which the subject's data will be used should be entered in the
"import target" field.
Example:
In the application form for the "Renewal and Examination of the Trade and
Commerce Exercise License", the phrase concerning Law 4497/2017 will be added,
which will take the following final form:
"The municipality of Iraklion Attikis informs that, according to Article 6.1 (e) of
Regulation (EU) 2016/679 (General Data Protection Rule), the processing of the
personal data of that subject is necessary for the performance of a task which is
carried out in the public interest or in the exercise of the public authority assigned to
the controller, namely the Municipality of Iraklion Attikis , and in this case the
renewal / approval of a trade license, based on the Law 4497/2017 as in force. "
In this example, the processing purpose is: "in this case the renewal / approval of a
permit for outdoor trade under the provisions of Law 4497/2017".
The above standard applies to all Directorates of the Municipality of Iraklion Attikis,
according to the purpose of the processing in their transactions with citizens and
institutions in which personal data are involved.
It is noted that, for the moment, it is not necessary to include a statement of consent
in the documents of the Municipality of Iraklion Attikis regarding its transactions
with citizens. By contrast, the above-mentioned compliance text for inclusion in official
documents is considered necessary and obligatory for all the Directorates of the
Municipality of Iraklion Attikis.
At the same time it is necessary to place a legal disclaimer and a reference to the cookies
policy on the website of the Municipality of Iraklion Attikis, as well as a personal data
disclaimer in the email signatures of the employees of the Municipality of Iraklion Attikis,
Attica, when they use their official email. This model will be developed in cooperation
with the Head of the Department of Informatics of the Municipality of Iraklio Attikis.
This requires changes to the conditions of use of the media.
Compliance forms
Consent Form
Steps of compliance
The steps taken in compliance with the Municipality of Iraklion Attikis are as follows:
Employees training
Informing all the staff of the Municipality of Iraklion Attikis , Attica for the new
regulation
The CPC is not only about records, policies and procedures, but brings a new
organizational culture to the Municipality of Iraklion Attikis, Attica.
The problems are related to the general delay in the implementation of European
legislation in Greece. More specifically:
2. The DPO has no legal and administrative powers but he only has a consultative
role.
References